The Twitter hack: how it started and how it worked
How and where it began
Firstly, there are conflicting reports about who exactly first noticed this XSS (cross-site scripting) flaw.
It would appear that at first, as the Guardian put it, “A Japanese developer was the first to notice the weakness in Twitter’s site and says he reported it as far back as mid-August. He put up a demonstration – and then the exploits flourished” (http://www.guardian.co.uk/technology/blog/2010/sep/21/twitter-hack-explained-xss-javascript).
The original discovery of the weakness, known as a “cross-site scripting” (XSS) hack, seems to have been made by a Japanese developer called Masato Kinugawa. He claims that he reported an XSS vulnerability to Twitter on August 14, and then discovered that the “new” Twitter, launched on Tuesday 14 September, had the same problem. At about 10am (BST) he set up a Twitter account called “Rainbow Twtr” (http://twitter.com/rainbowtwtr), which he used to show how the XSS weakness could be used to post tweets in different colours. It was not long before Kinugawa’s idea was picked up by other coders.
A 17-year-old in Australia claims that he started yesterday’s #twitterattack (note: unverified as yet, but I am chasing it up).
Magnus Holm (http://twitter.com/judofyr/) was another of those who spotted the idea’s possibilities and began playing with it: his code would retweet itself using the account of anyone signed in to Twitter.com who moused over the link.
At first he thought the worm wouldn’t really do anything: “this worm doesn’t really scale. the users can just delete the tweet” [http://twitter.com/judofyr/status/25111068660], but within minutes he saw that it had started spreading virally.
“holy shit. I think this is exponential” he tweeted [http://twitter.com/judofyr/status/25111521081], adding a few minutes later “This is scary” [http://twitter.com/judofyr/status/25111639615].
By now quite a few others had picked the idea up and fresh mutations began to appear. Some were used by a Russian website, others by a Japanese hard-core pornography site. The fresh mutations did not wait for unwitting users to put their mouse over the link: they turned the complete Twitter.com page into a “hyperlink”, so that any Twitter user who was signed in would unknowingly retweet the infected links to their followers.
While all this was going on, Twitter was only just waking up. At 2.35pm BST (6.35am at Twitter HQ) it put out its first warnings. 25 minutes later, it had solved the problem: “The XSS attack should now be fully patched and no longer exploitable. Thanks, those reporting it.” it said [http://status.twitter.com/post/1161435117/xss-attack-identified-and-patched].
Only users of Twitter.com itself were affected; nobody using third-party software clients, which represent the majority of users, was infected, because those programs correctly escaped the URL before rendering it (see below, How the hack works).
How the hack works…
The exploit was a simple and well-known piece of JavaScript injection.
Suppose I tweet the following text: “http://pc-insecurities.com for the best offers for your new business!”
When you view this on the Twitter.com page, Twitter’s link-making code turns the URL into the following HTML:
<a href="http://pc-insecurities.com" class="tweet-url web" rel="nofollow">http://pc-insecurities.com</a> for the best offers for your new business!
The exploit attacked that link-making function. The raw text of the exploit tweet was, in effect, the contents of the href attribute in the page source shown below: a URL beginning http://a.no/@ with a double quote and an onmouseover attribute appended to it.
Twitter didn’t protect itself from this ‘code injection’ properly: most likely the @" character combination broke their [HTML] parser, so the double quote inside the URL was never escaped. The link-building code’s job is to take the URL text it receives and write it into the page source that the user’s browser renders; if that text contains an unescaped double quote, the browser reads it as the end of the href attribute and treats whatever follows as further attributes of the <a> tag.
So the tweet above, when posted to Twitter, would con the site into generating the following page source:
<a href="http://a.no/@"onmouseover=";$('textarea:first').val(this.innerHTML);$('.status-update-form').submit();"class="modal-overlay"/ class="tweet-url web" rel="nofollow">
The executable content (onmouseover="...") has now become part of the page source. Not knowing any better, the browser treats it as a genuine event-handler attribute and runs the script as soon as the mouse passes over the link.
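To make the escaping failure concrete, here is an added example of my own (not Twitter’s code, and not the worm author’s): a naive linkify function of the kind the worm abused, beside a hardened version that HTML-encodes the URL before writing it into the attribute, plus a small model of how a browser tokenizes the attributes of the resulting <a> tag. The sample tweets, the URL regex and the function names are constructed assumptions; only the payload shape follows the page source quoted above.

```javascript
// Added example, not Twitter's code. Constructed sample tweets: the first is
// an ordinary link, the second carries the same payload shape as the exploit
// above (a URL containing a double quote, then an onmouseover attribute).
const NORMAL_TWEET =
  'http://pc-insecurities.com for the best offers for your new business!';
const EXPLOIT_TWEET =
  'http://a.no/@"onmouseover=";$(\'textarea:first\').val(this.innerHTML);' +
  '$(\'.status-update-form\').submit();"class="modal-overlay"/';

// Assumed tokenizer: a URL runs from http(s):// to the next whitespace.
const URL_RE = /https?:\/\/\S+/g;

// Vulnerable: the matched URL is dropped straight into the href attribute and
// the link text. A double quote inside the URL closes the attribute early, so
// the rest of the URL becomes new attributes, including an event handler.
function linkifyVulnerable(text) {
  return text.replace(URL_RE, (url) =>
    `<a href="${url}" class="tweet-url web" rel="nofollow">${url}</a>`);
}

// Minimal HTML encoder for attribute values and text nodes. Turning " into
// &quot; means the browser can no longer see the attribute as closed.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: tokenize the raw text, then encode every piece separately before
// it is written into the markup, whether it lands in an attribute or in text.
function linkifyHardened(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += encodeHtml(text.slice(last, m.index));
    const url = encodeHtml(m[0]);
    out += `<a href="${url}" class="tweet-url web" rel="nofollow">${url}</a>`;
    last = m.index + m[0].length;
  }
  return out + encodeHtml(text.slice(last));
}

// Model of how a browser tokenizes the first <a ...> tag: returns the attribute
// names it would see. This is the check a tester wants to run on server
// output: did an event handler appear that the template never wrote?
function anchorAttributeNames(html) {
  const start = html.indexOf('<a');
  if (start < 0) return [];
  const names = [];
  let i = start + 2;
  while (i < html.length && html[i] !== '>') {
    if (/[\s/]/.test(html[i])) { i++; continue; }      // separators
    let name = '';
    while (i < html.length && !/[\s/=>]/.test(html[i])) name += html[i++];
    names.push(name.toLowerCase());
    while (i < html.length && /\s/.test(html[i])) i++;
    if (html[i] === '=') {                               // attribute value
      i++;
      while (i < html.length && /\s/.test(html[i])) i++;
      const q = html[i];
      if (q === '"' || q === "'") {                      // quoted: ends at the matching quote
        const end = html.indexOf(q, i + 1);
        i = end < 0 ? html.length : end + 1;
      } else {                                           // unquoted: ends at whitespace or >
        while (i < html.length && !/[\s>]/.test(html[i])) i++;
      }
    }
  }
  return names;
}

// Stand-alone demonstration.
console.log('vulnerable:', anchorAttributeNames(linkifyVulnerable(EXPLOIT_TWEET)));
console.log('hardened:  ', anchorAttributeNames(linkifyHardened(EXPLOIT_TWEET)));
```

Run with node: the vulnerable output grows an onmouseover attribute (and a class="modal-overlay" the template never wrote), while the hardened output keeps exactly href, class and rel, and the two functions produce identical markup for the ordinary tweet. Note that the vulnerable link text also contains the raw payload, which is why the worm could re-post it from this.innerHTML.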
Because it is running in the user’s browser, inside the user’s logged-in session, it can do anything the user can do; most variations used this power to re-post the tweet, which is why it spread like a virus. Users were tricked because the attackers also formatted the block of executable code as black-on-black using CSS [Cascading Style Sheets, which determine the page layout].
Other versions found by users carried different JavaScript injections that produced other effects: porn-site redirects, rainbow text in their tweets, and even dialog boxes designed to alarm users by claiming their accounts had been disabled or their passwords stolen (they hadn’t been).
What else can we expect?
Now, of course, the big question is whether there is more to come. I would say there is little doubt Twitter will be hacked again, as all major sites are targets.
However, on this occasion, and despite the time difference which led to a slower response than I would have expected from Twitter, their team did amazingly well and had the problem patched swiftly.
Many thought that all that was needed was for the ‘onmouseover’ code to be blocked, but those calling for that had no idea what they were talking about: blacklisting one attribute name would have left every other event handler and attribute open to the same trick.
Twitter instead fixed the sanitisation at the core, escaping the injected characters where the link is built, which also prevented the many other variations of the exploit that could have followed.
We can expect many more exploits, but for now Twitter is safe once again.
Today I tested a few smaller sites that run systems similar to Twitter’s and found that 5/5 were indeed vulnerable and that they have learned nothing from yesterday.
WATCH THIS SPACE!